revocation: Check that nonce in OCSP response matches
authorTobias Brunner <tobias@strongswan.org>
Fri, 22 Nov 2019 14:09:55 +0000 (15:09 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 6 Dec 2019 08:52:30 +0000 (09:52 +0100)
src/libstrongswan/plugins/revocation/revocation_validator.c

index 68292e3..d2f662d 100644 (file)
@@ -64,6 +64,8 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
                                                                 certificate_t *issuer)
 {
        certificate_t *request, *response;
+       ocsp_request_t *ocsp_request;
+       ocsp_response_t *ocsp_response;
        chunk_t send, receive = chunk_empty;
 
        /* TODO: requestor name, signature */
@@ -83,7 +85,6 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
                request->destroy(request);
                return NULL;
        }
-       request->destroy(request);
 
        DBG1(DBG_CFG, "  requesting ocsp status from '%s' ...", url);
        if (lib->fetcher->fetch(lib->fetcher, url, &receive,
@@ -92,6 +93,7 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
                                                        FETCH_END) != SUCCESS)
        {
                DBG1(DBG_CFG, "ocsp request to %s failed", url);
+               request->destroy(request);
                chunk_free(&receive);
                chunk_free(&send);
                return NULL;
@@ -105,8 +107,19 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
        if (!response)
        {
                DBG1(DBG_CFG, "parsing ocsp response failed");
+               request->destroy(request);
+               return NULL;
+       }
+       ocsp_request = (ocsp_request_t*)request;
+       ocsp_response = (ocsp_response_t*)response;
+       if (!chunk_equals_const(ocsp_request->get_nonce(ocsp_request),
+                                                       ocsp_response->get_nonce(ocsp_response)))
+       {
+               DBG1(DBG_CFG, "nonce in ocsp response doesn't match");
+               request->destroy(request);
                return NULL;
        }
+       request->destroy(request);
        return response;
 }
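Review bot: The nonce-mismatch branch leaks the parsed response: `response` is non-NULL here (the `!response` guard just above returned), yet the branch destroys only the request before returning NULL, so the `ocsp_response_t` object is never freed; it needs `response->destroy(response);` next to the existing `request->destroy(request);` in that branch. Since the parse-failure branch correctly has nothing to free, this is the only early return in the function that holds a live response. The same `request->destroy(request)` now appears on three exit paths in this hunk (and a fourth in the fetch-failure hunk above); a single cleanup label would keep future exits from forgetting one of the two objects. If `chunk_equals_const` never matches an empty chunk, a responder that omits the nonce is rejected too, which looks intended but deserves a one-line comment on the check, e.g. `/* reject responses without the nonce we sent (replay protection) */`. fetch_ocsp starts outside this hunk.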